Spring Framework Algorithmic Denial-of-Service Vulnerability via User-Supplied SpEL Expressions

Vulnerability

A vulnerability exists in Spring Framework versions 7.0.0 through 7.0.7, 6.2.0 through 6.2.18, 6.1.0 through 6.1.27 and 5.3.0 through 5.3.48, as well as older versions that are no longer supported. Applications that parse and evaluate Spring Expression Language (SpEL) expressions containing user-supplied text can be exploited to cause an algorithmic denial of service (DoS): a crafted expression induces evaluation cost out of proportion to its size, consuming excessive resources during evaluation and degrading or taking down the application. Only expressions that include attacker-controlled text are exposed; applications whose SpEL expressions are fixed in source or configuration are not evaluating user-supplied expressions.

Impact

Successful exploitation consumes excessive resources (typically CPU time) while a single crafted expression is evaluated, leading to degradation or unavailability of the application. Because each such request ties up the thread evaluating it, a handful of crafted expressions can exhaust a bounded worker pool.

Remediation

Users of affected versions should upgrade to the fixed version for their release line:

- 7.0.x: 7.0.8 (OSS) or 7.0.7.1 (Commercial)
- 6.2.x: 6.2.19 (OSS) or 6.2.18.1 (Commercial)
- 6.1.x: 6.1.28 (Commercial)
- 5.3.x: 5.3.49 (Commercial)

Independently of the upgrade, evaluating expressions built from untrusted input is a design risk; where possible, have users select from server-defined expressions rather than supplying expression text.
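The following is an added example, not code from the advisory or from the Spring project, showing the exposed pattern described above (attacker-controlled text handed straight to the SpEL parser and evaluator) next to two hardened alternatives: an allowlist of server-defined expressions, which is the preferred fix, and a bounded evaluation for code that genuinely must accept expression text. The Order record, the method names and the allowlisted expressions are constructed for illustration; the six-argument SpelParserConfiguration constructor with a maximum expression length is assumed to be available in your Spring version (it is not present in older lines), so verify it before relying on it. Spring's spring-expression module is assumed on the classpath.

```java
import java.util.Map;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.stream.Collectors;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelParserConfiguration;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

public class SpelUntrustedInputExample {

    // Constructed sample model; stands in for whatever the application binds as the root object.
    public record Order(String customer, int quantity, double unitPrice) {}

    // EXPOSED PATTERN: user-controlled text is parsed and evaluated as SpEL.
    // On an affected version a crafted expression makes this call arbitrarily expensive.
    static Object evaluateUntrusted(String userExpression, Order order) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression expr = parser.parseExpression(userExpression);
        return expr.getValue(order);
    }

    // HARDENED PATTERN 1 (preferred): the user picks a name; the expression text is
    // server-controlled and compiled once, so nothing the user sends is parsed as SpEL.
    // Assumed example expressions, not from the advisory.
    private static final Map<String, String> ALLOWED = Map.of(
            "total", "quantity * unitPrice",
            "customer", "customer",
            "isBulk", "quantity >= 100");

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    private static final Map<String, Expression> COMPILED = ALLOWED.entrySet().stream()
            .collect(Collectors.toUnmodifiableMap(
                    Map.Entry::getKey, e -> PARSER.parseExpression(e.getValue())));

    static Object evaluateNamed(String name, Order order) {
        Expression expr = COMPILED.get(name);
        if (expr == null) {
            throw new IllegalArgumentException("unknown expression: " + name);
        }
        // Read-only data binding: no method invocation, type references or assignment.
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return expr.getValue(ctx, order);
    }

    // HARDENED PATTERN 2 (defense in depth, never a substitute for upgrading): cap the
    // expression length at the parser, restrict the evaluation context, and bound the
    // wall-clock time the caller waits.
    // Assumption: SpelParserConfiguration(compilerMode, classLoader, autoGrowNull,
    // autoGrowCollections, maximumAutoGrowSize, maximumExpressionLength) exists in your version.
    private static final int MAX_EXPRESSION_LENGTH = 256;
    private static final ExpressionParser BOUNDED_PARSER = new SpelExpressionParser(
            new SpelParserConfiguration(null, null, false, false, 0, MAX_EXPRESSION_LENGTH));
    private static final ExecutorService EVAL_POOL = Executors.newFixedThreadPool(2);

    static Object evaluateWithBudget(String userExpression, Order order, long budgetMillis)
            throws InterruptedException, ExecutionException, TimeoutException {
        if (userExpression.length() > MAX_EXPRESSION_LENGTH) {
            throw new IllegalArgumentException("expression too long");
        }
        Expression expr = BOUNDED_PARSER.parseExpression(userExpression);
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Future<Object> result = EVAL_POOL.submit(() -> expr.getValue(ctx, order));
        try {
            return result.get(budgetMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Caveat: this frees the caller, not necessarily the worker. Cancellation only
            // stops the evaluation if it observes the interrupt, so a pool of bounded size
            // can still be pinned by a few expensive expressions. This is why pattern 1
            // plus the upgrade is the real fix.
            result.cancel(true);
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        Order order = new Order("acme", 120, 9.5);
        System.out.println("named total  = " + evaluateNamed("total", order));
        System.out.println("named isBulk = " + evaluateNamed("isBulk", order));
        System.out.println("bounded      = " + evaluateWithBudget("quantity + 1", order, 200));
        EVAL_POOL.shutdownNow();
    }
}
```

The allowlist variant is the one to reach for: it removes the attacker's ability to shape the expression at all, which is what the vulnerability depends on. The bounded variant only limits how long a request waits and how large an expression may be; it does not make evaluation of untrusted text safe on an affected version.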

Added: Jun 9, 2026, 6:14 AM
Updated: Jun 9, 2026, 6:14 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 4.7
remediation: 7.7
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight vulnerability categories, which are then combined to calculate the overall risk score.